requirement so that you can then change each one to CRYPT. [File away that first response that has your encrypted password. I am told you don't ever get it again.]
If you are lucky (?), the (A)ck/(N)ak NOTIFY message that goes to the "other" contact might include your password. I saw my password, as the admin contact for a domain, included in the NOTIFY message that went to the technical contact, luckily it was our own NOC.

Regards, Sanjay.

PS. Thanks to everyone who responded to my query on overseas telco provisioning, I will post one summary when the info is complete.

---------------------------------------------------------------
Web Professionals, Inc.                Direct:  +1 408-863-4850
20111 Stevens Creek Blvd, Suite 145    Biz/NOC: +1 408-863-4848
Cupertino CA 95014 USA             http://web.professionals.com
---------------------------------------------------------------
-=- Your Outsourcing Partner for Website and Server Hosting -=-

I posted a rant about this to bugtraq almost a year ago. In the case where it happened to me I was already annoyed because an update that had been NAKed several times was applied when a single ACK was received over a month later (sent by a former employee who happened to have the month old NOTIFY). And then when I called them to ask them WTF they requested that I fax them some letterhead to "prove" that I was who I said I was.

The fellow on the phone really had no idea how ludicrous that assertion was. I'm afraid I lost my temper.

I put a tiny amount of effort into determining if there was anything cryptographically secure in the NOTIFY. I suspect there wasn't -- but I gave up before concluding that because their system was returning responses up to a week later, and I didn't feel like pipelining my efforts that much just to prove that the system was completely broken.

I've no idea if it's still this broken.

Dean

On Fri, 20 Feb 1998, Sanjay Dani wrote:

> requirement so that you can then change each one to CRYPT. [File away that first response that has your encrypted password. I am told you don't ever get it again.]
>
> If you are lucky (?), the (A)ck/(N)ak NOTIFY message that goes to the "other" contact might include your password. I saw my password, as the admin contact for a domain, included in the NOTIFY message that went to the technical contact, luckily it was our own NOC.
>
> Regards, Sanjay.
>
> PS. Thanks to everyone who responded to my query on overseas telco provisioning, I will post one summary when the info is complete.
>
> ---------------------------------------------------------------
> Web Professionals, Inc.                Direct:  +1 408-863-4850
> 20111 Stevens Creek Blvd, Suite 145    Biz/NOC: +1 408-863-4848
> Cupertino CA 95014 USA             http://web.professionals.com
> ---------------------------------------------------------------
> -=- Your Outsourcing Partner for Website and Server Hosting -=-

> I posted a rant about this to bugtraq almost a year ago. In the case where it happened to me I was already annoyed because an update that had been NAKed several times was applied when a single ACK was received over a month later (sent by a former employee who happened to have the month old NOTIFY). And then when I called them to ask them WTF they requested that I fax them some letterhead to "prove" that I was who I said I was.

This is unfortunately standard. I've seen unsigned modifications go through for PGP-protected domains, and I've seen correctly signed modifications fail for the same domains. In fact our standard practice now is "send it until it works", since inevitably a modification which fails (incorrectly) one time will work if you just try it enough times.

The funniest (?) part is when someone can put through a modification with no authentication whatsoever, then when you call to fix the damage, the InterNIC demands letterhead/CEO signatures/blood samples/etc.

--
John Caruso, Director, System/Network Administration
CNET: The Computer Network          Email: caruso@cnet.com
150 Chestnut Street                 Phone: 415.395.7805 x1310
San Francisco, CA 94111             Fax:   415.623.2458

participants (4)
- Dean Gaudet
- Jesse M. Caulfield
- John Caruso
- Sanjay Dani